Bug #79207 Stackoverflow with header callback
Submitted: 2020-02-01 17:51 UTC Modified: 2020-02-04 14:06 UTC
From: changochen1 at gmail dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: master-Git-2020-02-01 (Git) OS: ALL
Private report: No CVE-ID: None
 [2020-02-01 17:51 UTC] changochen1 at gmail dot com
Description:
------------
The following test script triggers a stack overflow in the latest code of PHP (PHP 8.0.0-dev (cli) (built: Jan 28 2020 14:15:44) ( NTS )). The crash location varies each time we run it.

Run the script with "php -f poc.php"; with ASan we got:

===
==121897==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2563ae68 (pc 0x00000123867a bp 0x7ffd2563de60 sp 0x7ffd2563ae60 T0)
    #0 0x1238679 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1238679)
    #1 0xdf5a2f in zend_call_function (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf5a2f)
    #2 0x91a287 in zif_spl_autoload_call (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x91a287)
    #3 0xdf5c7d in zend_call_function (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf5c7d)
    #4 0xdf7f71 in zend_lookup_class_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf7f71)
    #5 0xdfa8dd in zend_fetch_class_by_name (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdfa8dd)
...
===

Test script:
---------------
<?php
// The autoloader runs when the engine looks up the interface `b` (see
// zend_fetch_class_by_name -> zend_lookup_class_ex -> zif_spl_autoload_call in
// the trace above). It registers a header callback that in turn needs the
// class `a`, whose declaration below never completes.
spl_autoload_register(function () {
    header_register_callback(function () {
        new a;
    });
});

// `b` is never declared anywhere, so this declaration triggers the autoloader.
class a implements b {}


History
 [2020-02-01 19:42 UTC] stas@php.net
-Type: Security +Type: Bug -Package: CGI/CLI related +Package: Scripting Engine problem
 [2020-02-04 14:06 UTC] nikic@php.net
-Summary: Stackoverflow in cli/php +Summary: Stackoverflow with header callback
 [2020-02-04 14:06 UTC] nikic@php.net
The stack overflow is principally due to bug #64196. However, there might be a header_register_callback specific issue here, because we probably shouldn't be recursing into the header callback when trying to emit a header while inside the callback.
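The re-entrancy problem described in the comment above, as an added toy model in C. This is not php-src code and none of the names (`sapi_model`, `send_headers`, `write_output`, `run_request`, `MAX_DEPTH`) exist in the engine; they are assumptions made to show the shape of the failure: producing output flushes headers, flushing headers runs the registered header callback, and a callback that itself produces output re-enters the header flush. Without a guard that is unbounded mutual recursion (the model caps it at a hypothetical depth instead of overflowing the real stack); with a "callback already running" flag the callback executes exactly once per request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical depth cap standing in for the real stack overflow. */
#define MAX_DEPTH 64

/* Toy model of a SAPI that owns a single header callback (not php-src). */
typedef struct sapi_model {
    void (*header_callback)(struct sapi_model *);
    bool headers_sent;
    bool callback_running;   /* the re-entrancy guard */
    bool use_guard;          /* whether the guard is consulted at all */
    int  callback_calls;     /* how many times the callback actually ran */
    int  depth;              /* current recursion depth of send_headers() */
    bool overflowed;         /* depth cap was hit */
} sapi_model;

/* Flush headers. The registered callback runs first (as with
 * header_register_callback()), and that is where re-entry can happen. */
static void send_headers(sapi_model *s)
{
    if (s->headers_sent)
        return;

    if (s->header_callback != NULL) {
        if (s->use_guard) {
            if (s->callback_running)
                return;          /* already inside the callback: do not re-enter */
            s->callback_running = true;
        }
        if (++s->depth > MAX_DEPTH) {
            s->overflowed = true; /* the real engine would overflow its stack here */
            s->depth--;
            return;
        }
        s->callback_calls++;
        s->header_callback(s);
        s->depth--;
    }
    s->headers_sent = true;
}

/* Any output forces the headers out first, which is what an echo or a fatal
 * error message does in the engine. */
static void write_output(sapi_model *s, const char *text)
{
    send_headers(s);
    if (!s->overflowed)
        fputs(text, stdout);
}

/* A header callback that produces output, mirroring the PoC where the
 * callback's `new a` ends in a fatal error whose message is written out. */
static void noisy_header_callback(sapi_model *s)
{
    write_output(s, "Fatal error: class a not found (constructed message)\n");
}

/* Run one request. Returns the number of times the header callback executed,
 * or -1 if the model hit its depth cap. */
int run_request(bool use_guard)
{
    sapi_model s = { .header_callback = noisy_header_callback, .use_guard = use_guard };
    write_output(&s, "hello\n");
    return s.overflowed ? -1 : s.callback_calls;
}

int main(void)
{
    printf("unguarded: %d\n", run_request(false));  /* -1: recursion never terminates */
    printf("guarded:   %d\n", run_request(true));   /*  1: callback ran once */
    return 0;
}
```

The guard is deliberately checked before the callback is invoked rather than after headers are marked sent, because the callback is the one place user code runs while headers are still "unsent"; any other ordering would let the inner output flush headers a second time.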
 